(ii.) Related Appeals and Interferences 

The appellant is not aware of any appeals or interferences related to the above-identified 
patent application. 

(iii.) Status of Claims 

This is an appeal from the decision of the Primary Examiner in an Office Action dated 
April 18, 2006, rejecting claims 1-39, all of the claims in the application. Claims 1-39 are the 
subject of this appeal. 

(iv.) Status of Amendments 

Appellant filed a Reply to the Final Office Action of April 19, 2006, amending claims 1 
and 16 to correct the informalities pointed out by the examiner and to incorporate a portion of the 
preamble into the body of those claims. 

In an advisory action dated July 20, 2006, the examiner did not enter the amendment, 
indicating that amendments to claims 1 and 16 required further consideration and/or search. 
Appellant elected to file a Notice of Appeal (October 10, 2006) and Appeal Brief on February 
13, 2007. The claims on appeal are those that existed prior to the final action of July 20, 2006. 

In response to Appellant's Appeal Brief the examiner re-opened prosecution in an Office 
action dated June 26, 2007. Appellant has elected to reinstate the appeal and has filed a new 
Notice of Appeal herewith. 

(v.) Summary of Claimed Subject Matter 

One aspect of Appellant's invention is set out in claim 1 as a gateway device disposed 
between a data center and a network for thwarting denial of service attacks on the data center, the 
gateway device comprises a computing device. "The arrangement 10 to protect the victim 
[illegible] center 24 that communicates with and controls gateways 26 and data 
collectors 28 disposed in the network 14. The arrangement protects against DoS attacks via 
[illegible] 

Inventive features of claim 1 include a monitoring process that monitors network traffic 
through the gateway. "The gateway 26 includes a monitoring process 32 (FIG. 68) that 
monitors traffic that passes through the gateway ..." 

Inventive features of claim 1 also include a communication process that communicates 
statistics collected in the gateway from the monitoring process with a control center and that 
receives queries or instructions from the control center. "... as well as a communication process 
33 that can communicate statistics collected in the gateway 26 with the data center 24." 

Inventive features of claim 1 also include a filtering process to insert filters on network 
devices to filter out packets that the gateway deems to be part of an attack. "In addition, the 
gateway 26 can include processes 35 to allow an administrator to insert filters to filter out, i.e., 
discard packets that the device deems to be part of an attack, as determined by heuristics 
described below." 

Claim 16 

Another aspect of Appellant's invention is set out in claim 16 as a method of protecting a 
victim site during a denial of service attack. Appellant's originally filed claims and summary 
discuss a method. 

Inventive features of claim 16 include disposing a gateway device between the victim site 
and a network. "Referring to FIG. 2, details of an exemplary deployment of a gateway is shown. 
[illegible] deployments would depend on 

[illegible] 

executing on a device, e.g., a computer 27 that is disposed at the edge of the data center 20 
behind an edge router at the edge of the Internet 14." 



Appellant's specification Page 5, lines 5 7-22. 

Id. Page 7, lines 10-13. 
Id. Page 7, lines 17-2-8. 
5 Id. Page 6, line 2? to Page ?, line 2. 
Inventive features of claim 16 also include monitoring network traffic through the 
gateway and measuring heuristics of the network traffic to provide statistics on network traffic. This 
feature finds support as the analogous feature of claim 1. 

Inventive features of claim 16 also include communicating the statistics collected in the 
gateway to a control center. This feature finds support as the analogous feature of claim 1. 

Inventive features of claim 16 also include filtering out packets that the gateway or 
control center deems to be part of an attack. This feature finds support as the analogous feature 
of claim 1. 

Claim 29 

Another aspect of Appellant's invention is set out in claim 29 as a computer program 
product residing on a computer readable medium for protecting a victim site during a denial of 
service attack, comprises instructions for causing a computer device coupled at an entry to the 
site to, "The gateway 26 and data collector 26 are typically software programs that are 
executed on devices such as computers, routers, or switches." 

Inventive features of claim 29 include instructions to monitor network traffic sent to the 
victim site and measure heuristics of the network traffic to provide statistics on the network 
traffic. This feature finds support as the analogous feature of claim 1. 

Inventive features of claim 16 also include instructions to communicate statistics 
collected in the computer device to a control center. This feature finds support as the analogous 
feature of claim 1. 

Inventive features of claim 16 also include instructions to filter out packets that the 
device or control center deems to be part of an attack. This feature finds support as the 
analogous feature of claim 1. 

(vi.) Grounds of Rejection to be Reviewed on Appeal 

(1) Claims 1, 16 and 29 are provisionally rejected on the ground of non-statutory double 
patenting over claims 1, 9, 18 and 21 of co-pending Application No. 09/931,291. 



Id. Page 9, lines 

(2) Claims 1, 16 and 29 are provisionally rejected on the ground of non-statutory double 
patenting over claims 1, 3 and 4 of co-pending Application No. 10/066,252. 

(3) Claims 1-39 stand rejected under 35 U.S.C. [illegible] over 
Pearson (US 0,990,59]), and further in view of Cheriton (US 7,120,931). 

(vii.) Argument 

"It is well established that the burden is on the PTO to establish a prima facie showing of 
obviousness, In re Fritch, 972 F.2d 1260, 23 U.S.P.Q.2d 1780 (C.C.P.A., 1972)." 

In KSR International Co. v. Teleflex Inc., 550 U.S. ___ (2007), the Supreme Court 
reversed a decision by the Court of Appeals for the Federal Circuit that reversed a 
summary judgment of obviousness on the ground that the district court had not adequately 
identified a motivation to combine two prior art references. The invention was a combination of 
a prior art repositionable gas pedal with prior art electronic (rather than mechanical cable) gas 
pedal position sensing. The Court first rejected the "rigid" teaching suggestion motivation 
(TSM) requirement applied by the Federal Circuit, since the Court's obviousness decisions had 
all advocated a "flexible" and "functional" approach that cautioned against "granting a patent 
based on the combination of elements found in the prior art." 

With respect to the genesis of the TSM requirement, the Court noted that although "As is 
clear from cases such as Adams 7 , a patent composed of several elements is not proved obvious 
merely by demonstrating that each of its elements was, independently, known in the prior art. 
Although common sense directs one to look with care at a patent application that claims as 
innovation the combination of two known devices according to their established functions, it can 
be important to identify a reason that would have prompted a person of ordinary skill in the 
relevant field to combine the elements in the way the claimed new invention does. This is so 
because inventions in most, if not all, instances rely upon building blocks long since uncovered, 
and claimed discoveries almost of necessity will be combinations of what, in some sense, is 
already known." 



7 United States v. Adams, 383 U.S. 39, 40 (1966) 



In application of the TSM requirement, the Court cautioned that: "Helpful insights, 
however, need not become rigid and mandatory formulas; and when it is so applied, the TSM test 
is incompatible with our precedents." 

"The mere fact that the prior art could be so modified would not have made the 
modification obvious unless the prior art suggested the desirability of the modification." In re 
Gordon, 221 U.S.P.Q. 1125, 1127 (Fed. Cir. 1984). 

Although the Commissioner suggests that (the structure in the 
primary prior art reference) could readily be modified to form the 
[claimed] structure, "[t]he mere fact that the prior art could be so 
modified would not have made the modification obvious unless the 
prior art suggested the desirability of the modification." In re 
Laskowski, 10 U.S.P.Q. 2d 1397, 1398 (Fed. Cir. 1989). 

"The claimed invention must be considered as a whole, and the question is whether there 
is something in the prior art as a whole to suggest the desirability, and thus the obviousness, of 
making the combination." Lindemann Maschinenfabrik GMBH v. American Hoist & Derrick, 
221 U.S.P.Q. 481, 488 (Fed. Cir. 1984). 

Obviousness cannot be established by combining the teachings 
of the prior art to produce the claimed invention, absent some 
teaching or suggestion supporting the combination. Under Section 
103, teachings of references can be combined only if there is some 
suggestion or incentive to do so. ACS Hospital Systems, Inc. v. 
Montefiore Hospital, 221 U.S.P.Q. 929, 933 (Fed. Cir. 1984) 
(emphasis in original, footnotes omitted). 

"The critical inquiry is whether 'there is something in the prior art as a whole to suggest 
the desirability, and thus the obviousness, of making the combination.'" Fromson v. Advance 
Offset Plate, Inc., 225 U.S.P.Q. 26, 31 (Fed. Cir. 1985). 
Serial No.: 09/931,344 

(1) Claims 1, 16 and 29 were provisionally 
rejected on the ground of non-statutory double 
patenting over claims 1, 9, 18 and 21 of co-pending 
Application No. 09/931,291. 

Appellant will consider timely submission of a terminal disclaimer upon indication of 
allowable subject matter. 

(2) Claims 1, 16, and 29 were provisionally 
rejected on the ground of non-statutory double 
patenting over claims 1, 3 and 4 of co-pending 
Application No. 10/066,252. 

Appellant will consider timely submission of a terminal disclaimer upon indication of 
allowable subject matter. 

(3) Claims 1-39 are not obvious over any 
combination of Pearson with Cheriton. 

Claims 1, 3, 4, 14, 16, 18, 19 and 28 

Claim 1 

For the purposes of this appeal only, claims 1, 3, 4, 14, 15, 16, 18, 19 and 28 stand or fall 
together. Claim 1 is representative of this group of claims. 

Claim 1 is directed to a gateway device disposed between a data center and a network for 
thwarting denial of service attacks on the data center, with the gateway including a computing 
device. Pearson taken in any combination with Cheriton, neither describes nor suggests a 
computing device that includes "... a communication process that communicates statistics 
collected in the gateway from the monitoring process with a control center and that receives 
queries or instructions from the control center and a filtering process to insert filters on network 
devices to filter out packets that the gateway deems to be part of an attack." 

The examiner contends that: 



As per claim 1, Pearson discloses gateway device disposed between a data center and a network for 
thwarting denial of service attacks on the data center, the gateway device comprising: 

a monitoring process that monitors network traffic through the gateway; (col.6, 
lines 6-19; Pearson discloses a communication device 106 is also referring to a 
gateway, firewall, or other devices that communicates data between one or more 
ports. The firewall and intrusion detection functionality of communication device 
protects the resources of LAN from potential hackers. Thus, the claimed gateway 
will hereinafter refer to the communication device 106.) 

a corsHWit-ieaiit'ss pro»'«.s.N thai fjiiumuaicalc staristies. tpJiette-d so the yitK'>3> 
irot.o the ni»!iitw;n<- ps .«csv (tui. 8, fines t<i-S5a»ci cof. H\ Issses 45-50} ^iiii a 
control tenter ant? that receives fjutrics or Basts, onit-sss frotii tht maim: cefsier; 
tines, 55-62; eoi.« ht.oA i !-!7: MCI teotssn.iler 112?; 

and coi.20. iotes 4t>-Sfl: l\arwa thscfttM.^ Site ret-soter tssorittot iisj: censer tiiAJC) 
fJO ^suTipriy * several coa>pnnei»ts that pieAicle fiific?iwt*iiU> fos earrjlrijv out 
sarUssis t.isk\ teok e, limm 42-55). ! lie RMC i<> the etais-fted co«rtei eeotcr where ii : e 

o5 and coi. io, lines 2o-2ou 

Mii \a n'teriBg price's* it- insert Ssf ices oft «ei v ct k devices to tlt-cr t'«t o.'ckiris} 
tha= iK i>atevj>> sfeent-> t« be pan tfi an attack, Susies i f-So and cot 3«. f-r.t.s 

36-53} 

Vianon discloses a pi edetenuioLtl fevei of network seeo!:H. -a.:; is, >:Kistiton:iS 

hue* 5o-o4>\vhm Uk RM(. opuathe in r^pon-c t« the sekcti-w lo oae of t»i 
seSeetatsie it-f«nt> i«?>eJs i» aatomaiicallj ooafi«ui - t tiie eo-nmsinkstiofi ;fe\Ke ir. 
Bimsitur for certain sMerteier mmed tfiieats and io pru\ ttie certain prc(>ct«-rrahu ;l 
r-.-spos«ts i k ii'iei "-i2). Further. I'fijrson tfisdoses resa^ie iisjeif^ tnas b-; 
snti^are iip|ii!t!iii');> pr»j>i^im ior I'kissifx itss; a»(i hantiitn^ kicnisfkxi iw'iiiitj ri>k» 
{coi. !8, tir.es 21-24), Ihus. i't-iirstm MJSgeMs ^eivirti\rf> i:'iafi««ft itt jrt«itit<-j eettsiti 

Peat \ot> icetii-s to su^ge^t the ciainied a Siitersiiy j wnss to fiket oat p,se;-.ct^ 
.us s=st! isuicn sietectwr Ssid that aSi e«tn»«tu«.-8t!«m are jiLiij/i-d .ml i-(n»part-i$ to 
ttte Usi ai k>«'v>u stiackx (eol,9. imc* H-Sti anil vok i*. !iiK><: .tt>-5.'.>. 

55<r.ve\>:S', T ! eat"i«» liicl :wi pariictiSariv sibet^ses. u fsitv>r»ia process to i-ssert 
tot^vioss »: i^ork liesiees t« fitter out itte threats.. 

Ckeritoa dLscioses protia^atini; fiSUn. '<> ao e-im rfeiiee os-oipt t^.« 
j;i.sera!<s)fi :t filter at a fits! rt>.l«ork itt\iee «hete a compare* pri>«iasf; pi-uJiiCt tor 
i>e«-.isth!<; fitters h'wi ae.tih/sti act work flo*<, ccnerati* rurapii^t. t'Kiv tint 
Main** Siarjstiai «ct^«»-k fl<w& to proes)t nef»t)rk ;]<»>s fr-isii ^.s^ir." ttiroayh the 
i5: S^ork (ie^ice tcoiJ, 2<»-43>. CheHivi) itisef-i.v^ s s tiiier h is^ested into a 
sirs. ■>> all «<cjtvd l»cti>ce« a t "liter and ph!fa!it> of icfiors so data :i;et>rttiiij; is 
fiUered ». reduce ihv powfb«iit> of profiietssi m the fiet^urk ieol.3, isae* ^i??>. Tfce 
i-!\«aii is preferatjij a jacket filtering tlrcwaii l)ut maj abe- bt. 3 pro*.} 
{ijipHcafkiiis fireftail (col, 1 *, line* 20-25}. .Network ik\ite m<t> alw be router- sad 
sv^fehe'- Hrses 58-t^ and cof.5. itrtvi 20-Ml). Ciu-riiosi U^eSoses, rttat otiee s 

jroisp »sf packets ;ste identified .sv hasniftik iitv eot ttipottrfissji sit'i^ork fiow s c-itt he 
anaix/ed 10 further rcftrse the filter and ihcreiWe isistirwtt of i.ftet jag ant at- data 
isrrsustj; fsom tht idefltitied oipa»:/atioa. otsij iksisucme s>ackers ret: heti trot:! she 
,!>.::>f(! attar ker tfe drcijipcii tent.", tines 1S-24 ,ioil ii-tifi}. 

t Jicrefort. it uottlt! hcrve beea ot'>ic«^ for a ptss.o!; .rf j>rds:»»r> $iJUt ia the at" 
so --snibsne ffce t>uchia<; of Pear<.oti wit's i iserfiots »•) toatfi iH»erti«s ttie fiitcr fn .s 
ssci<-ork device s«eh a 1 - a tit bewi^c an^h/cs hars«f<i; netwotk 0o^'- ti> 
pse.csii rsetoorf. fSovs from pa^inj; through the tiwt^ork device ;.cot,2, lit:es 2 s i- 
[illegible] filtered to reduce the possibility of problems in the network 
(col.3, lines 38-53). 8 

The alleged combination of Pearson with Cheriton fails to describe or suggest a 
communication process that communicates statistics collected in the gateway by the monitoring 
process to a control center and that receives queries or instructions from the control center. The 
examiner contends that Pearson discloses this feature by: "communication process that communicate 
statistics collected in the gateway from the monitoring process (col.8, lines 16-15 and col. 59, lines 45-50) with a control 
center and that receives queries or instructions from the control center; (col.7, lines 55-62; col.9, lines 11-17; FIG.1 
(controller 112)." Appellant disagrees. Pearson discloses a conventional intrusion detection 
mechanism. Cheriton also fails to disclose this feature. Neither of these disclosed 
mechanisms however correspond to an arrangement by which a gateway collects statistical 
information pertaining to network traffic and receives queries from a control center to 
communicate the statistics to the control center. 

The examiner relies on Pearson's RMC as the control center, arguing that: "... receives 
queries or instructions from the control center; (col.7, lines 55-62; col.9, lines 11-17; FIG.1 (controller 112); and col.29, 
lines 48-50; Pearson discloses the remote monitoring center (RMC) 130 comprises several components that provide 
functionality for carrying out various tasks (col. [illegible], lines 42-55). The RMC is the claimed control center where the 
[illegible] RMC [illegible]" 

Appellant again disagrees. With respect to the Pearson teaches that the RMC receives 

alert signals from a supported communication device. According to Pearson: 

The following actions are exemplary of the manner in which the RMC 130 
handles an alert signal received from a supported communication device. The 
monitoring engine 134 associated with the RMC 130 receives the alert signal from 
communication device 106 and forwards the alert, as represented by dashed arrow 
156, to selected one of the plurality of remote agents 126a, 126b, 126n. 

Monitoring engine 114 preferably also maintains a history of attacks on 
communication device 106 by recording incoming alert signals in a threat database 
114 stored in the database farm. 

At col. 7, lines 55-62 Pearson discloses that the RMC receives a message or signal 
indicative of an attack, whereas at col. 9, lines 11-17 Pearson discusses attack signatures. 
Similarly, in FIG. 1 (controller 112), Pearson discloses that 112 receives activation and 
configuration information. While Pearson also discloses that the monitoring engine computer 
114 receives threat communications in the form of alert signals from threatened or attacked 
communication devices, Pearson neither describes nor suggests "a communication process that 
communicates statistics collected in the gateway from the monitoring process with a control 
center and that receives queries or instructions from the control center." In essence, Pearson 
neither describes nor suggests that the control center queries the gateway for the statistical 
information. 

The examiner's reliance on teachings from Pearson, directed to the alert signals, is 
misplaced. The alert signals result from attack signature analysis that determines that an alert 
should be raised. In contrast, claim 1 by its very terms is directed to communicating statistics 
collected in the gateway to the control center as part of an analysis that may be conducted by the 
control center to detect an attack. Thereafter, the control center and/or the gateway can raise 
alerts, etc., as in Pearson, but that raising of alerts is a recited feature of this claim. 

In contrast, Cheriton is directed to a stand-alone arrangement, as depicted in Fig. 2. 
Cheriton neither describes nor suggests a control center and a gateway that receives queries or 
instructions from the control center. Moreover, Cheriton would have no need to receive queries 
or instructions from the control center. Indeed, Cheriton neither has a need for nor does Cheriton 
possess any equivalent to the recited control center. 

Therefore, it is clear that Cheriton does not cure any of the deficiencies in the teachings 
of Pearson because nowhere does Cheriton disclose to query a gateway from a control center for 
statistical information on network flows. 

Claim 1 also requires a filtering process to insert filters on network devices to filter out 
packets that the gateway or the control center deems to be part of an attack. Pearson does not 
teach to insert filters, as generally acknowledged by the examiner. However, in Pearson, 
(whether at col. 9, lines 11-16, col. 16, lines 36-53, or elsewhere) the occurrence of a match 
between a detected signature and one stored in the database raises an event, not a filter. 
Therefore, Pearson fails to teach the "gateway device comprises... a filtering process to insert 
filters on network devices to filter out packets that the gateway deems to be part of an attack." 

Appellant notes that the examiner acknowledges this and relies on Cheriton. However, 
while Cheriton clearly discloses filters, Cheriton does not cure the underlying deficiency in 
Pearson. Therefore, it is immaterial to patentability whether or not the combination of Pearson 
and Cheriton teach the feature of inserting filters, since the remaining features of claim 1 clearly 
are neither described nor suggested by any combination of Pearson in view of Cheriton. 

Claims 29 and 30 

For the purposes of this appeal only, claims 29 and 30 stand or fall together. Claim 29 is 
representative of this group of claims. 

Claim 29 is directed to a computer program product for protecting a victim site during 
a denial of service attack. Claim 29 includes instructions to monitor network traffic sent to 
the victim site and measure heuristics of the network traffic to provide statistics on the network 
traffic, communicate statistics collected in the computer device to a control center, and filter out 
packets that the device or control center deems to be part of an attack. 
Pearson, in combination with Cheriton, neither describes nor suggests these features, for 
analogous reasons as those given in the Appellant's arguments for claim 1. Pearson fails to 
describe or suggest instructions to communicate statistics collected in the computer device to a 
control center. Rather, Pearson discloses "attack signatures." In addition, claim 29 includes the 
feature of "... measure heuristics of the network traffic to provide statistics on the network traffic." 

The examiner argues that: "(col.6, lines 6-19; Pearson discloses a communication device 106 is also 
referring to a gateway, firewall, or other devices that communicates data between one or more ports. The firewall and 
intrusion detection functionality of communication device protects the resources of LAN from potential hackers. Thus, 
the claimed gateway will hereinafter refers to the communication device 106.)" This 
argument is not directed to the claimed feature, namely: "measure heuristics of the network 
traffic to provide statistics on the network traffic." The examiner appears to be preoccupied with 
communication but does not address that the feature is "monitor network traffic sent to the 
victim site and measure heuristics of the network traffic to provide statistics on the network 
traffic; communicate statistics collected in the computer device to a control center ..." 

While it is clear that Pearson combined with Cheriton does not suggest the claimed 
feature of "monitor ... and measure heuristics of the network traffic to provide statistics on the 
network traffic ...," it is equally clear that Pearson combined with Cheriton does not describe: 
"instructions to communicate statistics collected in the computer device to a control center," as 
discussed above for claim 1. 

Appellant contends therefore that assuming arguendo motivation to combine, which 
Appellant does not concede, Pearson combined with Cheriton fails to provide a prima facie case 
of obviousness because no combination of these references suggests "monitor ... and measure 
heuristics of the network traffic to provide statistics on the network traffic and communicate 
statistics collected in the computer device to a control center." 
Claim 2 further limits claim 1, and recites that: "The communication process couples to a 
dedicated link to communicate with the control center over a hardened network." This feature is 
not described by any combination of Pearson and Cheriton. The examiner contends that: "See 
Pearson on col.1, lines 59-65 and col.12, lines 30-35; discussing the communication process couples to a dedicated link to 
communicate with the control center over a hardened network." 

The examiner relies on the teaching in Pearson that on waking up, the system sends a 
wake-up signal on an encrypted channel. However, that is not what is claimed by Appellant. 
Rather, Appellant claims that there is "a dedicated link to communicate with the control 
center over a hardened network." The encrypted channel is not a dedicated link and moreover it 
appears that the process occurs at activation, and is not carrying the network traffic of base claim 
1 to the control center. There is no mention in Pearson that the network that the communication 
process uses to communicate with the control center is dedicated. Rather, it appears to be the 
same network that is monitored by the "communications device." 

Claims 5, 20 and 31 

For the purposes of this appeal only, claims 5, 20 and 31 stand or fall together. Claim 5 
is representative of this group of claims. 

Claim 5 further limits claim 1 requiring that the gateway is adaptable to dynamically 
install the filters on nearby routers. The examiner argues that: "See Cheriton on col. 2, lines [illegible] and col. 5 [illegible] 

Cheriton discloses: "The system further includes a filter generator operable to generate a filter to prevent packets 

contends that Cheriton's discussion regarding a filter generator however does not meet the 
claimed element that the "gateway is adaptable to dynamically install filters on nearby routers." 
Cheriton does not disclose that the gateway installs filters on routers. Rather, Cheriton teaches 
away from this feature by: 



Id. page 9. 

Office Action page 9. 

17 Cheriton col. 2, lines 50-54. 



Attorney's Docket No.: 12221-004001 




While Cheriton does mention a filter, and does show a filter on the router and the firewall 
[illegible] the computer device of Fig. 2, Cheriton does not describe any mechanism that 
[illegible] filters installed by the gateway on nearby routers. Appellant contends that it would 
[illegible] from any combination of Pearson with Cheriton to install filters on nearby routers 
[illegible] is not directed to a distributed approach and Pearson neither suggests deployment 
of filters nor the underlying statistical information by which the filters are generated. 

Claims 6, 8, 9, 21, 23, 24, 32, 34 and 35 

For the purposes of this appeal only, claims 6, 8, 9, 21, 23, 24, 32, 34 and 35 stand or fall 
together. Claim 6 is representative of this group of claims. 

Claim 6 further limits claim 1 by reciting that: "the monitoring process detects IP traffic 
and determines levels of unusual amounts of IP fragmentation or fragmented IP packets with bad 
or overlapping fragment offsets." The examiner relies on col. 13, lines 4-29 and col. 15, lines 
30-33 of Pearson for this feature. Claim 8 recites that the monitoring process detects Internet 
Protocol (IP) traffic and determines levels of Transmission Control Protocol (TCP) or User 
Datagram Protocol (UDP) packets to unused ports, whereas claim 9 recites that the monitoring 
process detects IP traffic and determines levels of TCP segments advertising unusually small 
window sizes, which may indicate a load on the data center, or TCP ACK packets not belonging 
to a known connection. 

Claim 6 will be used to argue why Pearson combined with Cheriton fails to disclose the 
features of any of these claims. The examiner argues: "Pearson on col. 18, lines 51-67; discussing the 
monitoring process detects IP traffic and determines levels of unusual amounts of IP fragmentation or fragmented IP 
packets with bad or overlapping fragment offsets." 

At that passage (col. 18, lines 51-67) Pearson describes: 
[illegible] 170 comprises a header field 810, a body field 
828, and a two-bit priority field 826. The priority field 826 in the disclosed 
embodiment is 00=ignore, 01=low priority, 10=not assigned (unused), and 11=high 
priority. Those skilled in the art will understand that the priority field is set in 
accordance with user and/or predetermined remote monitoring system preferences, 
for example by establishing certain predetermined priorities for certain types of 
signatures via a high, medium, or low set policy (FIG. 4A), or by user setting of 
priority through the advanced options settings (FIG. 4B). 

Pearson is not referring to statistical information pertaining to any of the features of claim 
6. Rather, Pearson disclosed the completion of an entry in the list of attack signatures. Attack 
signatures are not statistical information pertaining to packet flows, but instead portions of the 
packet, e.g., payload and/or header. In any event, the entries described at that passage in Pearson 
neither describe nor suggest: "levels of unusual amounts of IP fragmentation or fragmented IP 
packets with bad or overlapping fragment offsets." 

Similarly, Pearson combined with Cheriton fails to disclose at the cited passages or 
elsewhere that "the monitoring process detects Internet Protocol (IP) traffic and determines 
levels of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets to 
unused ports," as in claim 8 or that "the monitoring process detects IP traffic and determines 
levels of TCP segments advertising unusually small window sizes, which may indicate a load on 
the data center, or TCP ACK packets not belonging to a known connection," as in claim 9. 

Claims 7, 22, 33 

For the purposes of this appeal only, claims 7, 22, and 33 stand or fall together. Claim 7 
is representative of this group of claims. 

Claim 7 further limits the gateway of claim 1 by reciting that the monitoring process 
detects Internet Protocol (IP) traffic and determines levels of IP packets that have bad source 
addresses or Internet Control Message Protocol (ICMP) packets with broadcast destination 
addresses. The examiner argues for claim 7 that: "See Pearson on col. 17, lines 35-47 and Cheriton on col. 5, 
lines 1-44; discussing the monitoring process detects Internet Protocol (IP) traffic and determines levels of IP packets that 
have bad source addresses or Internet Control Message Protocol (ICMP) packets with broadcast destination addresses." 

Pearson at the cited passages discusses threat events and priority of such events. 
Nowhere however does Pearson discuss "determines levels of IP packets that have bad source 
addresses or Internet Control Message Protocol (ICMP) packets with broadcast destination 
addresses." 

Cheriton, meanwhile, discusses the aggregate filters and use of ICMP packets. 
Specifically, Cheriton discloses: 

The flow analyzer 122 monitors the statistics associated with these aggregate 
filters 116. If statistics associated with an aggregate filter entry indicate a 
potential problem or just as a periodic check of the traffic distribution, creation of 
netflow entries is enabled for packets matching this entry. Consequently, the flow 
analyzer 122 receives a flow record 120 for each flow matching this aggregate. Using 
this specific flow information, the flow generator 124 determines how to refine the 
aggregate filter. For example, the flow label information may indicate that most 
ICMP packets are coming from a particular source address. In this case, the flow 
generator 124 can configure an aggregate filter [illegible] that matches ICMP packets from 
that source, establishing a separate policer for that filter or potentially just blocking 
the source. The original aggregate filter is preferably retained as well so that all 
other ICMP traffic matches to this original filter. The flow analyzer 122 then 
monitor the statistics of the original aggregate filter with the offending host 
removed, to detect whether there are further anomalies within the aggregate flow. 

Thus, according to Cheriton, the flow analyzer receives a flow record for each flow and 
uses, e.g., ICMP packets from a particular address to indicate source of an attack. [illegible] 
claim 7 specifically recites to "determine levels of IP packets that have bad source addresses or 
Internet Control Message Protocol (ICMP) packets with broadcast destination addresses." 
Therefore, the purported combination of Pearson and Cheriton whether at the cited passages or 
elsewhere neither describes nor suggests these features. 

Claims 10, 25 and 36

For the purposes of this appeal only, claims 10, 25, and 36 stand or fall together. Claim
25 is representative of this group of claims.

Claim 25 limits claim 16, and recites that monitoring comprises "detecting sustained rate
higher than plausible for a human user over a persistent HTTP connection." The examiner
contends that: "a. per claim 10. See Pearson on col. 10, lines 23-38 and Cheriton on col. 8,
lines 30-44; discussing monitoring process detects sustained rate higher than plausible for a
human user over a persistent HTTP c

At col. 10, lines 23-38, Pearson discusses user changing a security policy of a net



Cheriton Col. 7, line [illegible] to Col. 8, line 10.

relevance to the claimed feature. Cheriton at col. 8, lines 30-44 discusses configurations
to the system that may also be used "to automatically recognize [illegible] to network traffic
that does not necessarily represent an attack or a failure." Cheriton uses a search engine spider
as an example where Cheriton would automatically detect a high demand source of this nature,
and the filter generators would automatically reconfigure the filters to handle this demand.
However, these teachings in Cheriton also do not address the claimed feature.

Cheriton also discusses that "the system can be used to identify sources that appear to
represent excessive traffic, allowing aggregate filters to be created that separate them out of
the overall aggregate and throttle their traffic appropriately. These filters 10 can also be
automatically removed when the associated traffic drops off, based on the statistics associated
with the identified flow. Thus, for example, once a search engine finishes its searching at a web
site, the filter 10 created for it indicates that traffic has dropped because of the lower rate and
the specific filter can be reclaimed." However, this again is in the context of throttling the
aggregate filter and is not part of the monitoring that produces statistics (sustained rate higher
than plausible for a human user over a persistent HTTP connection of claim 7) used for filtering
out packets that the gateway or control center deems to be part of an attack.

Claim 11

Claim 11, which recites that the "monitoring process maintains statistical summary
information of traffic over different periods of time and at different levels of detail," is neither
described nor suggested by Pearson combined with Cheriton. The examiner relies on Pearson
col. 11, lines 8-12 and Cheriton col. 7, lines 32-65 for this feature. In the cited passage from
Pearson, the reference discusses user selecting security policies, not maintaining statistical
summary information on traffic over different periods of time.

Cheriton col. 7, lines 32-65 are reproduced below:

The initial class of packets 78 to be analyzed is selected based on statistics
associated with the aggregate filters, as described below. The data which is to be
analyzed is periodically changed or updated to further refine a filter once it has
been generated. For example, a first class of packets 78 may be analyzed for 0.5
second then a next class of packets analyzed for the next 0.5 seconds. The initial
filters 10 may be configured according to user specified configurations or default
values. The flow analyzer 122 and filter generator 124 then use the analyzed flow to
determine if the existing filters need to be refined or new filters need to be
generated. Based on the analyzed flow, the filter generator 124 will tell (or modify)
the ACL classifier 80, which then affects the netflow entries that are created. The
class of packets 78 selected may be based on a class of packets which have been
identified as potentially harmful, or may be randomly chosen. The ACL classifier 80
may, for example, begin by looking at flows 64 for all packets 78 received from a
source with an IP address having the form 3.xxx.xxx.xxx, where xxx represents any
possible value from zero to 255. If a problem is identified in one of the packet
streams 64, the ACL classifier 80 may be then instructed to look at flows for all
packets 78 received from a source having an IP address of 3.141.xxx.xxx. This may
be narrowed down further to refine the filter 10.

The flow analyzer 122 monitors the statistics associated with these aggregate
filters 10. If the statistics associated with an aggregate filter entry indicate a
potential problem (or just as a periodic check of the traffic distribution), creation of
netflow entries is enabled for packets matching this entry. Consequently, the flow
analyzer 122 receives a flow record 120 for each flow matching this aggregate. Using
this specific flow information, the flow generator 124 determines how to refine the
aggregate filter. For example, the flow label information may indicate that most
ICMP packets are coming from a particular source address. In this case, the flow
generator 124 can configure an aggregate filter 10 that matches ICMP packets from
that source, establishing a separate policer for that filter or potentially just blocking
the source. The original aggregate filter is preferably retained as well so that all
other ICMP traffic matches to this original filter. The flow analyzer 122 can then
monitor the statistics of the original aggregate filter with the offending host
removed, to detect whether there are further anomalies within the aggregate flow.



Claim 11 is neither described nor suggested by these teachings whether taken separately
or in combination with Pearson or any other teaching in Cheriton. Claim 11 calls for
"monitoring process maintains statistical summary information of traffic over different periods
of time and at different levels of detail." Nowhere does Cheriton teach to maintain statistical
information or a summary of the information over different periods of time and different levels
of detail. Cheriton teaches: "The data which is to be analyzed is periodically changed or updated
to further refine a filter once it has been generated. For example, a first class of packets 78 may
be analyzed for 0.5 second then a next class of packets analyzed for the next 0.5 seconds."
Cheriton thus discloses to change data to be analyzed, e.g., to refine the filters and monitor
different classes of packets. However, Cheriton does not teach "monitoring process maintains
statistical summary information of traffic over different periods of time and at different levels
of detail", as called for in claim 11.



Claims 12, 26 and 37

For the purposes of this appeal only, claims 12, 26 and 37 stand or fall together. Claim
12 is representative of this group of claims.

Claim 12 sets forth some of the parameters [illegible] by the monitoring process. Claim 12
recites "statistics on parameters [illegible]" [illegible] combination of Pearson and Cheriton
either describes or suggests maintaining statistical information on these specific parameters.

The examiner relies on "Cheriton on col. 5, lines 20-25 and col. 7, lines 32- col. 8, line 10."
However, at these passages and elsewhere Cheriton does not describe the claimed features.
Cheriton at col. 5, lines 20-25 discusses to allow specific source addresses to access specific
destination addresses and at col. 7, lines 32- col. 8, line 10 discusses statistics of the aggregate
filters, but does not mention maintaining statistics on these specific parameters.

Claims 13, 27 and 38

For the purposes of this appeal only, claims 13, 27 and 38 stand or fall together. Claim
13 is representative of this group of claims.

Claim 13 recites that the "monitoring process has configurable thresholds and issues a
warning when one of the measured parameters exceeds the corresponding threshold." The
examiner relies on Pearson col. 8, lines 10-32 and col. 17, lines 1-10 for this feature. However, at
col. 8, lines 10-32 Pearson discusses intrusion detection and attack signatures, not measured
parameters, whereas at col. 17, lines 1-10, Pearson discusses different event threat levels.
Pearson does not compare measured parameters to thresholds at those passages. Thus, neither at
those passages nor elsewhere does Pearson suggest the "monitoring process has configurable
thresholds and issues a warning when one of the measured parameters exceeds the corresponding
threshold."

Claim 15 

Claim 15 recites that the "monitoring process logs specific packets identified as part of
an attack to enable an administrator to identify important properties of the attack." This feature
directed to examining of specific packets further distinguishes over the cited art since it requires
both the monitoring to produce statistical information on network flows and examination of
specific packets.

Claim 39 distinguishes over the combination of Pearson with Cheriton, since the
combination neither describes nor suggests "... instructions to cause the processor to receive
communications from a control center to deliver data pertaining to the types of traffic passing
through the gateway." 1 Neither Pearson nor Cheriton taken in any combination suggests the
feature of "to receive communications from a control center to deliver data," as generally discussed
above.

Conclusion 

Appellant submits, therefore, that Claims 1-39 are neither described by nor obvious over
any purported combination of Pearson in view of Cheriton and are otherwise allowable over the
cited art. Therefore, the Examiner erred in rejecting Appellant's claims and should be reversed.

Respectfully submitted,

Date: ____

Denis G. Maloney
Reg. No. 29,670

Fish & Richardson P.C.
225 Franklin Street
Boston, MA 02110-2804
Telephone: (617) 542-[illegible]
Facsimile: (617) 542-[illegible]



1 In claim 39 there is no antecedent basis for "processor" and "gateway," but functionally those are equivalent to
the "computing device" recited in base claim 29. Appellant will amend this claim after the Board's decision.

Appendix of Claims

1. A gateway device disposed between a data center and a network for thwarting
denial of service attacks on the data center, the gateway device comprises:

a computing device comprising:

a monitoring process that monitors network traffic through the gateway;

a communication process that communicates statistics collected in the gateway from the
monitoring process with a control center and that receives queries or instructions from the
control center; and

a filtering process to insert filters on network devices to filter out packets that the
gateway deems to be part of an attack.

2. The gateway of claim 1 wherein the communication process couples to a
dedicated link to communicate with the control center over a hardened network.

3. The gateway of claim 1 wherein the monitoring process in the gateway samples
network packet flow in the network.

4. The gateway of claim 1 wherein the gateway is adaptable to be physically
deployed in line in the network.

5. The gateway of claim 1 wherein the gateway is adaptable to dynamically install
the filters on nearby routers.

6. The gateway of claim 1 wherein the monitoring process detects IP traffic and
determines levels of unusual amounts of IP fragmentation or fragmented IP packets with bad or
overlapping fragment offsets.

7. The gateway of claim 1 wherein the monitoring process detects Internet Protocol
traffic and determines levels of IP packets that have bad source addresses or Internet Control
Message Protocol (ICMP) packets with broadcast destination addresses.

8. The gateway of claim 1 wherein monitoring process detects Internet Protocol (IP)
traffic and determines levels of Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP) packets to unused ports.

9. [illegible] wherein monitoring process detects IP traffic and
determines levels of TCP segments advertising unusually small window sizes, which may
indicate a load on the data center, or TCP ACK packets not belonging to a known connection.

10. The gateway of claim 1 wherein monitoring process detects sustained rate higher
than plausible for a human user over a persistent HTTP connection.



'K, 1 5 



K , v. < o o{ ,n v hv em u\m >m u> p « hii i - -i / s ^ . ^ a < 
■ v ou', J Uuem p v i >K ot * n <. ^ id J I u'k iK t do ... 



15. The gateway of claim 14 wherein monitoring process logs specific packets
identified as part of an attack to enable an administrator to identify important properties of the
attack.

16. A method of protecting a victim site during a denial of service attack, comprises:
disposing a gateway device between the victim site and a network;
monitoring network traffic through the gateway and measuring heuristics of the network
traffic to provide statistics network traffic;
communicating the statistics collected in the gateway to a control center; and
filtering out packets that the gateway or control center deems to be part of an attack.

17. The method of claim 16 wherein communicating occurs over a dedicated link to
the control center via a hardened network.

18. The method of claim 16 wherein monitoring samples network packet flow in the
network.

' ) v'i o< „ dan i i \% leui* 'Um^v <o .s pi N v. ! N a^p.o o i J iC t 

network.

20. The method of claim 16 wherein filtering further comprises:
dynamically installing filters on nearby routers via an out of band connection.

21. The method of claim 16 wherein monitoring further comprises:
detecting IP traffic and determining levels of unusual amounts of IP fragmentation or
fragmented IP packets with bad or overlapping fragment offsets.

22. The method of claim 16 wherein monitoring further comprises:



so '^e ,ioJ~*.vscs . > *\ . « , i m' \bi r oto^e eat^v ^fk t\oae"v v 

v aoJ oo > '' n vieir 1 nor i to i ic -u,'iKr or,> < \> 

detecting Internet Protocol (IP) traffic and determining levels of Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) packets to unused ports.

24. The method of claim 16 wherein monitoring further comprises:
detecting IP traffic and determining levels of TCP segments advertising unusually small
window sizes, which may indicate a load on the data center, or TCP ACK packets not belonging
to a known connection.

25. The method of claim 16 wherein monitoring further comprises:
detecting a sustained rate of reload requests that is higher than plausible for a human
user over a persistent HTTP connection.

26. The method of claim 16 wherein monitoring further comprises:
logging statistics on parameters including source and destination host or network
addresses, protocols, types of packets, number of open connections or of packets sent in either
direction.

27. The method of claim 16 wherein monitoring further comprises:
issuing a warning to the control center when one of the measured parameters exceeds a
corresponding configurable threshold.

-|\^ >q^\d\ Jl )i ic 1 \ in 1 eta; t t \t'Mi «J< ^kh e

29. A computer program product residing on a computer readable medium for
protecting a victim site during a denial of service attack, comprises instructions for causing a
computer device coupled at an entry to the site to:

monitor network traffic sent to the victim site and measure heuristics of the network
traffic to provide statistics on the network traffic;

communicate statistics collected in the computer device to a control center; and

filter out packets that the device or control center deems to be part of an attack.

30. The computer program product of claim 29 wherein instructions to monitor
further comprise instructions to:

sample network traffic flow.

31. The computer program product of claim 29 wherein instructions to filter further
comprise instructions to:

dynamically install filters on nearby routers via an out of band connection.

32. The computer program product of claim 29 wherein instructions to monitor
further comprise instructions to:

determine levels of unusual amounts of IP fragmentation or fragmented IP packets with
bad or overlapping fragment offsets.

33. The computer program product of claim 29 wherein instructions to monitor
further comprise instructions to:

detect Internet Protocol (IP) traffic; and

determine levels of IP packets that have bad source addresses or Internet Control
Message Protocol (ICMP) packets with broadcast destination addresses.



detect IP traffic; and 






i o^nuf i i . t p.oduv.^i c n 2 () *„K*:»\n ns^eno, >- ,o m, vto. 
u 'so 1 o t jni wno-j u 

^tu r*e« ot 1 oto.o ^ 5 -tlix. .nd 

i: u' o\' v h iAiiOoii m j .tfcul ' 0 or User Datagram Protocol UDP 

35. The computer program product of claim 29 wherein instructions to monitor
further comprises instructions to:

detect IP traffic; and

determine levels of TCP segments advertising unusually small window sizes, which may
indicate a load on the data center, or TCP ACK packets not belonging to a known connection.

36. The computer program product of claim 29 wherein instructions to monitor
further comprises instructions to:

detect a sustained rate of reload requests that is higher than plausible for a human user
over a persistent HTTP connection.

37. The computer program product of claim 29 wherein instructions to monitor
further comprises instructions to:

log statistics on parameters including source and destination host or network addresses,
protocols, types of packets, number of open connections or of packets sent in either direction.

38. The computer program product of claim 29 wherein instructions to monitor
further comprises instructions to:

issue a warning to the control center when one of the measured parameters exceeds a
corresponding configurable threshold.

39. The computer program of claim 29 further comprising instructions to cause the
processor to receive communications from a control center to deliver data pertaining to the types
of traffic passing through the gateway.

1 s!^ i* :m



None